Agent Native Design

Security checks across malware telemetry and agentic risk

Overview

This is a coherent CLI design-review skill with disclosed install/update behavior and no evidence of hidden data access, destructive actions, or exfiltration.

Reasonable to install if you trust the publisher and repository. Prefer ClawHub or a pinned Git revision for manual installs, review changes before approving any git pull, and treat the authentication examples as design advice for your own CLIs rather than permission for the skill itself to handle secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence: 79%
Finding
The installation guidance encourages users to ask an agent to clone a repository directly into privileged skill-loading directories without an explicit warning that this writes to disk and may cause the host platform to load new behavior. In the context of agent skills, that lowers user awareness around a trust boundary and can normalize delegated installation of unreviewed code/content, increasing supply-chain and persistence risk.

Vague Triggers

Medium
Confidence: 94%
Finding
The manifest explicitly enables implicit invocation (`allow_implicit_invocation: true`) without any visible trigger constraints, exclusions, or additional gating. That can cause the skill to be auto-selected in broader contexts than intended, increasing the chance that an agent invokes design or refactoring guidance on sensitive CLI/authentication topics without clear user intent or review.

VirusTotal

62/62 vendors flagged this skill as clean.
